M2.2.2 - P1 - INFORMATION SECURITY RISK ANALYSIS
There is a lot of information related to the performance of information security risk assessments, and more details will be provided in a separate risk management document; therefore, this implementation guidance only provides an overview of the most important concepts.
Consequences of losses of confidentiality, integrity or availability: The first part of assessing the consequences of losses of confidentiality, integrity or availability is to identify the business importance of the information asset under consideration. Damage to an asset that is important for the business is much more likely to cause severe consequences than damage to an asset that is less important. Based on the business use of the asset, the consequences of a loss of each of the following need to be assessed:
A. CONFIDENTIALITY – This means the information asset is only accessible to those authorized to access it
B. INTEGRITY – This means the information asset has not been modified in any unauthorized way
C. AVAILABILITY – This means the information asset is available when needed
To make the results of this assessment comparable, scales should be used, which should have been defined in the Information Security Risk Management Policy (see M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY above).
The assessment of these consequences should be done together with the business users of the information assets, as they can give important input into the process because they are aware of the security requirements for their assets. This can be done by interviews and/or questionnaires, but it is important to ensure that the business users understand what is being asked of them.
As a result, each asset should have identified consequences of losses of confidentiality, integrity and availability.
LIKELIHOOD OF THREAT/VULNERABILITY COMBINATIONS
The input into the assessment of the likelihood that a particular threat exploits a vulnerability is based on considerations very similar to those used for the identification of threats and vulnerabilities (see M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY above). The likelihood of a threat occurring can be derived from threat catalogues and statistics, as well as from incident records, audit logs, reports and similar material the entity has produced.
The level of vulnerability is based on how effective the controls that have been put in place are, so it can also be derived from the results of the gap analysis (see M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY above). Finally, the likelihood of the threat occurring and the level of vulnerability are combined to determine the likelihood that this particular threat/vulnerability combination occurs. How exactly these values are combined has been defined in the Information Security Risk Management Policy (see M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY above).
Determining the levels of risk: Based on the method to calculate risks, which has been chosen by the entity and has been documented in the Information Security Risk Management Policy (see M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY above), the risks should now be calculated using the consequences and likelihoods that have been assessed.
PLEASE NOTE: The details of how to calculate the risks and which valuation schemes are used for consequences and likelihood are entirely up to the entity to decide. It is nevertheless important that the approach chosen is applied consistently.
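The three steps above (consequence assessment per C/I/A, combination of threat likelihood and vulnerability level, and risk calculation) can be carried through end to end. The following is an added example, not part of this guidance document and not prescribed by it: the ordinal scales, the likelihood combination table, the multiplicative risk formula and the risk bands are all assumptions chosen for illustration, standing in for whatever the entity's Information Security Risk Management Policy defines. The asset and scenario data are constructed sample input. The point it demonstrates is the consistency requirement in the note: every value passes through the same validated scales and the same lookup, so two assessors rating the same asset cannot arrive at differently derived numbers.

```python
"""Added example of a risk calculation following the consequence -> likelihood -> risk steps.
All scales, tables and the formula below are ASSUMED for illustration; an entity
defines its own in its Information Security Risk Management Policy."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ordinal scales (higher = worse). The labels are placeholders.
CONSEQUENCE_SCALE: Dict[str, int] = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}
THREAT_LIKELIHOOD_SCALE: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
# Vulnerability level reflects control effectiveness from the gap analysis: weak controls = high.
VULNERABILITY_SCALE: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Assumed table: threat likelihood (row) x vulnerability level (column) -> combined likelihood 1..5.
COMBINED_LIKELIHOOD: Dict[int, Dict[int, int]] = {
    1: {1: 1, 2: 1, 3: 2},
    2: {1: 1, 2: 2, 3: 3},
    3: {1: 2, 2: 3, 3: 4},
    4: {1: 3, 2: 4, 3: 5},
}

# Assumed risk bands on the product consequence * combined likelihood (max 4 * 5 = 20).
RISK_BANDS: List[Tuple[int, str]] = [(4, "low"), (8, "medium"), (12, "high"), (20, "critical")]

PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    """Consequence ratings agreed with the business users, one per security property."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class Scenario:
    """One threat/vulnerability combination and the properties whose loss it would cause."""
    threat: str
    threat_likelihood: str
    vulnerability_level: str
    affects: Tuple[str, ...]


def _lookup(scale: Dict[str, int], label: str, what: str) -> int:
    """Reject labels outside the agreed scale so assessments stay comparable."""
    if label not in scale:
        raise ValueError(f"{what} '{label}' is not on the scale {sorted(scale)}")
    return scale[label]


def consequence_level(asset: Asset, affects: Tuple[str, ...]) -> int:
    """Worst-case consequence over the C/I/A properties the scenario affects."""
    levels = []
    for prop in affects:
        if prop not in PROPERTIES:
            raise ValueError(f"unknown property '{prop}'")
        levels.append(_lookup(CONSEQUENCE_SCALE, getattr(asset, prop), f"{prop} consequence"))
    return max(levels)


def combined_likelihood(threat_likelihood: str, vulnerability_level: str) -> int:
    """Combine threat likelihood and vulnerability level via the assumed table."""
    t = _lookup(THREAT_LIKELIHOOD_SCALE, threat_likelihood, "threat likelihood")
    v = _lookup(VULNERABILITY_SCALE, vulnerability_level, "vulnerability level")
    return COMBINED_LIKELIHOOD[t][v]


def risk_band(score: int) -> str:
    """Map a numeric risk score onto the assumed qualitative bands."""
    for upper, band in RISK_BANDS:
        if score <= upper:
            return band
    raise ValueError(f"score {score} exceeds the defined bands")


def assess(asset: Asset, scenarios: List[Scenario]) -> List[dict]:
    """Calculate the risk of every scenario for an asset, highest risk first."""
    results = []
    for s in scenarios:
        c = consequence_level(asset, s.affects)
        l = combined_likelihood(s.threat_likelihood, s.vulnerability_level)
        score = c * l  # assumed formula; the policy could equally prescribe a matrix
        results.append({"asset": asset.name, "threat": s.threat, "consequence": c,
                        "likelihood": l, "score": score, "band": risk_band(score)})
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample input (not real assessment data).
SAMPLE_ASSET = Asset("customer database", confidentiality="severe", integrity="major", availability="minor")
SAMPLE_SCENARIOS = [
    Scenario("storage hardware failure", "unlikely", "low", ("availability", "integrity")),
    Scenario("database credentials exposed", "possible", "high", ("confidentiality",)),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ASSET, SAMPLE_SCENARIOS):
        print(f"{r['asset']}: {r['threat']} -> C={r['consequence']} L={r['likelihood']} "
              f"score={r['score']} ({r['band']})")
```

Because `_lookup` rejects any label that is not on the agreed scale, an assessor cannot quietly introduce a fifth consequence level or a "moderate" likelihood for one asset; that is what makes results across assets comparable, as the guidance requires.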